CYBEREYE

Future of cybersecurity lost in legislative limbo

As administration moves forward, legislation is put on back burner

At last count, there were more than 40 bills, resolutions and amendments dealing with cybersecurity pending in the House and Senate. They offer funding for cybersecurity research and development, deplore developments in China, establish new consumer protections, update government regulations, and create new executive oversight authority.

But none of these seems to be heading for passage anytime soon. And by this date in an election year, soon is the only time left. With the campaign season already under way and summer recesses coming up, the 111th Congress soon will be history, and everything will then need to start over.

During an administration that has declared cybersecurity a major national security issue and at a time when the term "cyber war" is cropping up in headlines and on talk shows, when the Internet is becoming synonymous with identity theft and phishing is being spelled with a “ph” as often as an “f,” why is this so?

Despite the rising profile of cybersecurity, it apparently still is not a sexy issue politically. Senators and representatives tread delicately through the minefields of health care, financial regulation and immigration because anything they say can and will be used against them in the coming election, and neutrality is not an option. But being on the wrong — or right — side of cyber defense is not likely to lose anyone many votes, so it is not a high priority.

Perhaps the more important question is: Does this matter?

Probably not. There are some important cybersecurity issues that should be addressed, and the most critical of them are being addressed through regulatory rather than legislative channels.

For instance, the Federal Information Security Management Act is in need of an update. But while Congress proposes, the White House disposes, with new standards for FISMA reporting that require agencies to shift from paper-based annual reports to real-time data feeds of system status. The new standards, issued through the Office of Management and Budget in April, are part of a much-needed move away from paper-based compliance to real-time visibility and automated security systems.

And the Executive Cyberspace Authorities Act of 2010 (H.R. 5247), introduced in May by Rep. James Langevin (D-R.I.), would establish a White House National Cyberspace Office for coordinating national cybersecurity policy. The director would have a seat on the National Security Council and would coordinate defense of government networks in case of an attack.

But President Barack Obama appointed a White House cybersecurity coordinator this year. Although he does not have the budget authority the NCO director would have, OMB does have this authority under FISMA. Langevin’s proposal might well have merit, but even though it took the president nearly a year to name a cybersecurity coordinator, the administrative track is proving more flexible and speedy than the legislative one.

There are some issues that could benefit from Congress’ attention, such as a national standard for data breach notification and protection of sensitive personal information. That is covered by a patchwork of state laws. But even in that case, holders of personal information can avoid confusion simply by adopting the highest standards practical and doing their best to avoid breaches.

Mark Twain said “no man's life, liberty or property are safe while the legislature is in session.” I wouldn’t go that far. But there are good avenues for regulating cybersecurity without new legislation.

Reader Comments

Mon, Jun 28, 2010

DoD contractors need another "war"... so they have cooked up "cyberwar" as the next thing to keep their welfare machine humming... I say take it slow, steady as she goes... let the behemoths get rid of their dead wood and shims before another dollar of pork is approved.

Fri, Jun 11, 2010

The OMB legislation to move away from paper-based compliance/reliance is only a half-truth. Yes, the feds need more continuous monitoring to address the persistent threat vector. Heck, everyone on the Internet does… However, without the certification and accreditation process (a.k.a. the paper-based way of securing systems) that makes it possible for agencies to run a secure environment, it will cost us more in blood and treasure down the road if it does not continue to be an integral part of our Nation’s security equation.
Do the people who are making the decisions honestly believe that installing programs to run continuous scans of systems will make our Nation’s assets more secure without leveraging the proven C&A processes to do so? Maybe some people believe this will enable us to win the “cyber war”, but it will only cover us from one perspective…
What about the human element? Without the people who are knowledgeable about the systems’ CONOPS, configurations, contingency plans, system rules of behavior, data inputs and outputs, diagram constructs, whether a port is approved or not approved, what good will all of this continuous monitoring be? To top it all off, will these continuous monitoring applications be able to conduct interviews with the code developers to ensure the code base was actually secured in a verifiable manner throughout each phase of the SDLC (i.e., baking security in versus bolting it on)? The simple answer to all of this is a solid no. Let us not forget the defense-in-depth strategy. It will be broken if the paper (i.e., hard work) is removed from this seemingly “silver bullet” C&A equation of continuous monitoring… And as Paul Harvey used to say, “That’s the rest of the story.”

Tue, Jun 8, 2010

In some ways, analog is better!

Tue, Jun 8, 2010, Bob Radvanovsky, Chicago, IL

It is amazing that with every new administration, the same ol' crap keeps arising. All Congress and the U.S. government has done is substitute "jihad" for "cyber war", "terrorist" replaced by "cyber criminal" or "cyber terrorist". As an infrastructure researcher, we need to focus more on fixing our Nation's resources: our infrastructures. I realize that the line between data and asset has become (albeit) somewhat blurred, but this does not mean that "cyber security" should be the center of our infrastructures. When we have managed to secure the Internet within the United States, and another "Katrina" follows, will Congress and the U.S. government be able to label it as a "cyber incident"? Oh...wait, it has: it's the BP Gulf Oil spill!